Posted on

Client sylinked, Clients tab information Not available

I need a solution

Hi,

I had an old server version 12.1.7004.6500 which has crashed. I have sylinked all clients to a server 14MP2. When the clients were sylinked, I could see that they have connected with the SEPM 14MP2. Problem I am having is that no information is available on the SEPM. Information such as Client security patch version, current virus definitions etc. The Last Time Status Changed is actually the date when the sylink was done.

Can you please help. Thanks!

Posted on

Exception to allow inhouse written DLL

I need a solution

Hi All,

Apologies if I have asked this question before. We are still on SEP 12 at the moment. We have a DLL that is an in-house written file that keeps alerting in SEP as suspicious and gets blocked occasionally. Now, it is usually located in one of 4 paths and I have entered the paths in and the exclusion exceptions work fine. The problem is that this file can also be used in other locations. This means adding loads of extra exception rules which I do not want to do. Is there a way to just allow this filename (no path) to be ignored by SEP (would use the #md5 actually)? So is it possible just to create an ADC rule to allow this particular DLL filename to be ignored by SEP?

Cheers

PaulC

Posted on

Clients Tab in SEPM should be filter enabled

SEPM console is a wonderful dashboard for viewing overall security status. This requirement is specifically to provide filtering tools in the Clients tab of SEPM.
Sometimes we find ourselves having to track down a certain set of clients in a group for some action. At times we find it difficult to build a set of clients based on multiple parameters. Thus, if we can put filters on columns, it will assist us greatly in getting a selected client list based on more than one parameter.

For example, if I need to move all endpoints matching the conditions below to a different group:

1. SEP client version = '12.1.7061.6600'
2. Health Status = 'Online'

The requirement comes from the ease of using the filtering functionality in Excel. Hopefully it will enhance administrators' ability to do this in the SEPM console itself instead of extracting to csv/xls and analysing in an Excel spreadsheet.

Posted on

Migrate SEP SQL Data during SEP 12 to 14 upgrade

I need a solution

We currently have SEP 12 hosting its database on a SQL 2008 R2 server and we are building a new SEP 14 environment with SQL 2016 (the old SEP 12 & SQL 2008 R2 will continue to run in parallel). We have built the new SEP 14 application server but we could not find any details on how to migrate (copy) the data from the old SQL database to the new SQL database. We have restored (overwritten) the old sem5 database on the new SQL Server but the application fails, possibly because the old database schema is different.

Is there a documented process on how to migrate the data from the old SQL database to the new database?

Posted on

Best practice for Exceptions

I need a solution

I am trying to do some clean up and better management of our SEP environment. Currently we have our groups laid out in this fashion:

- Main company
  - default group
- Our organization
  - Servers
    (Under here are the individual server groups)
  - Workstations
    (Under here are the individual workstation groups)

The issue I run into is that the individual groups do not inherit the policies of the parent (due to exceptions and such), so when I do have an exception that I need to apply to all devices, I have to go into every policy (which currently sits at about 60) and add the exception in.

Is there a better way of managing the exceptions that apply to all devices, while still having the individual policies for application exceptions?

Posted on

SEPM 12.1.6MP5 Port 80 Uses

I need a solution

I am running SEPM 12.1.6 MP5 on Windows Server 2012 R2 Datacenter with an external database.

The server is in an extremely controlled environment and security is wanting us to justify Port 80. We do not use LiveUpdate but import virus definitions from the previous day from our user network Symantec Server (by downloading the .jdb file) to this server as a requirement. Please don't get lost in the WHY we do that ... I just need to know if we can safely disable port 80 if we are not using LiveUpdate? I previously understood Port 80 was required for the User Interface Web GUI and/or communications between the SEPM and the client. I have looked at several links and could not really verify my understanding of this port. I appreciate any guidance you can lend. Thanks!

Posted on

Install additional management server with embedded database.

I need a solution

Hi all!

I have SEPM 12.1.6 (12.1 RU6 MP) with embedded database installed on Windows 2008 Enterprise 32-bit.

Because the new SEPM 14 doesn't support 32-bit systems, an in-place upgrade is impossible, so I have installed a new temporary server with Windows 2012 R2 64-bit and am trying to install an additional SEPM management server to my site.

The problem is that the installation wizard asks me about the location of the MS SQL Client tools and the SQL server location and port (I tried both SEPM 12 & SEPM 14), and doesn't allow me to choose Embedded database.

Why do I need to install SQL server for a 100-client installation? How can I install a secondary management server with embedded database?

Regards, Alex

Posted on

Where does Linux put the file cache?

I need a solution

I've determined that only local files get cached by Symantec. This means that if you are accessing a file on a shared drive on a server, it will not be cached, and Symantec will have to scan it every single time it is accessed. What I am trying to determine is whether putting AV on the servers would improve speed. Right now, no data comes in through the servers, so AV was only installed on the clients. The catch is that the servers handle many files. For caching to be advantageous, the cache would need to be very large. If it's going to be large, we need to know where it gets stored. So...

Where does Linux put the file cache?

Posted on

Trace SMB Double Pulsar Attack Source Machines

At times users may report a Symantec client tray icon notification "[SID: <pid number> Attack: SMB Double Pulsar..]"

Similar to the one below.

First, there is no need to panic; your machine is secured by Symantec Endpoint Protection.

The second step is to trace the source of the attack.
The primary suspect is one of the machines on the network; to trace that machine, the SEPM logs or the Monitors Summary can assist us.

Option 1. SEPM Console GUI: Monitors → Summary (Tab) → Network and Host Exploit Mitigation (drop down) → Top Sources of Attack (frame)

Option 2. SEPM Logs: Monitors → Logs (Tab) → Log Type 'Network and Host Exploit Mitigation' → Log Content 'Attack' → View Log (Button)
Extract the logs to a spreadsheet and filter on the column 'Event Description' for these two selections:

[SID: <pid Number>] Attack: SMB Double Pulsar Ping attack blocked. Traffic has been blocked for this application: SYSTEM
[SID: <pid Number>] OS Attack: Microsoft SMB MS17-010 Disclosure Attempt attack blocked. Traffic has been blocked for this application: SYSTEM

Find the unique 'Remote Host IP' values.

The third step is to clean the source machines of the infection. Disconnect the machines and install SEP if not present, then update to the latest definitions. Run a full scan to clean the infection; it may ask for a restart of the machine.
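The spreadsheet filtering in the second step, done as a script: this is an added example (not from the original post) that reads a CSV export of the SEPM log, keeps only rows whose 'Event Description' carries either of the two strings above, and lists the unique 'Remote Host IP' values with a hit count so the noisiest source is cleaned first. The column names are assumed to match the export; the sample rows and SID numbers are constructed.

```python
"""Triage helper for a SEPM 'Network and Host Exploit Mitigation' log export.

Added example, not part of the original post. It assumes the export is a
CSV whose header uses the column names the post mentions ('Event
Description' and 'Remote Host IP'); the sample rows below are constructed.
"""
import csv
import io
from collections import Counter

# The two event descriptions the post says to filter on. The "[SID: n]"
# prefix varies per signature, so match on the text that follows it.
ATTACK_MARKERS = (
    "Attack: SMB Double Pulsar Ping attack blocked",
    "OS Attack: Microsoft SMB MS17-010 Disclosure Attempt attack blocked",
)

# Constructed sample export (not real SEPM output; SID values are made up).
# 'Remote Host IP' is the column that identifies the source machine.
SAMPLE_EXPORT = """Event Time,Event Description,Local Host IP,Remote Host IP
2018-02-13 09:10:01,[SID: 11111] Attack: SMB Double Pulsar Ping attack blocked. Traffic has been blocked for this application: SYSTEM,10.0.5.21,10.0.5.77
2018-02-13 09:10:04,[SID: 22222] OS Attack: Microsoft SMB MS17-010 Disclosure Attempt attack blocked. Traffic has been blocked for this application: SYSTEM,10.0.5.22,10.0.5.77
2018-02-13 09:12:30,[SID: 11111] Attack: SMB Double Pulsar Ping attack blocked. Traffic has been blocked for this application: SYSTEM,10.0.5.23,10.0.9.4
2018-02-13 09:15:00,[SID: 33333] Unrelated IPS event blocked. Traffic has been blocked for this application: SYSTEM,10.0.5.23,10.0.1.1
"""


def attack_sources(export_text):
    """Return {remote_ip: hit_count} for rows matching either marker.

    Rows for other IPS signatures are ignored, so the result is exactly the
    'Remote Host IP' set the post tells you to find in the spreadsheet.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        description = row.get("Event Description", "")
        if any(marker in description for marker in ATTACK_MARKERS):
            counts[row["Remote Host IP"].strip()] += 1
    return dict(counts)


def unique_sources(export_text):
    """De-duplicated source IPs, busiest first (ties broken by address)."""
    counts = attack_sources(export_text)
    return sorted(counts, key=lambda ip: (-counts[ip], ip))


if __name__ == "__main__":
    hits = attack_sources(SAMPLE_EXPORT)
    for ip in unique_sources(SAMPLE_EXPORT):
        print(f"{ip}\t{hits[ip]} blocked event(s)")
```

Point it at the real export by replacing SAMPLE_EXPORT with the file's contents; the machines it lists are the ones to take through the third step.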
